123 Compute.Net

On Security

About
Home
Archives
Debates
Tools
Sidelines
SiteMap

Index

Guidelines for Desktop Security

VBS.LoveLetter.A and VBS.LoveLetter.FWD.A

"Explore.exe" spreads through trust, destroys files on Windows

6/10/99 "Explore" infects Windows desktops. It spreads between networks via email and within networks through self-replication. Explore email appears as a reply to mail you've previously sent. If your correspondent is infected, his or her machine automatically generates a response to your mail that includes its subject header and invites you to open an attached (and lethal) executable file. To protect against Explore, all Windows users should use a virus protection program and regularly update their virus definition files. Go to McAfee or Symantec now for the latest update!

"Melissa" overwhelms email servers.

4/4/99 "Melissa" is an example of a macro virus, the most common type of computer virus. "Macro" refers to an easy-to-write script that executes a series of instructions. For example, a Microsoft Word macro could be written that selected a file on the desktop, and then deleted it. Unfortunately, hackers can take advantage of macros to write scripts that execute their own instructions on someone else's computer.

Most macro viruses are designed to subvert the macro scripting found in Microsoft Office products, which are the most common macro-enabled programs on users' desktops. Newer versions of MS Office warn you if you are about to open a document that will execute a macro. It's best to keep this warning feature enabled, and to refuse to run macros unless you are quite sure you know who wrote them, and that you need them.

3/26/99: The "Melissa" macro virus spreads via email received in Outlook 98, 97 or other Microsoft Exchange-based mail clients. If a user opens the accompanying attachment (an MS Word macro originally named "list.doc"), the virus sends out mail to the first 50 addresses from the Personal Address Book and Contacts list. Though inflicting no apparent harm to users, Melissa generates such huge volumes of new email traffic that by Friday, March 26th, it had brought down several corporate email servers. Sendmail, a company whose software is used to direct mail on the Internet, has posted a fix for its software. Meanwhile, end users using Outlook (or other Microsoft Exchange email clients) and Microsoft Word should carefully check file names of attachments before opening and, if given the choice, refuse to run macros when opening documents that contain them. For more information see news.com and MicroTrend articles.

AutoStart Worms (Macintosh)

For latest AutoStart news and resources, see Macintouch's Special AutoStart Worm Report.

WormScanner freeware can 'disinfect' Macs harboring AutoStart 9805 worms, variants A through F, that standard virus protection programs may not be able to eradicate.

 

Email Security

If your email program has been publicly identified as insecure you should take the time to patch it or update to a newer, secure, version. There are no reports of anyone actually taking advantage of the flaws documented below. But with the front page publicity they've received, it may only be a matter of time.

Network Administrators: Sendmail's patch may be the best solution for networks running Microsoft's Outlook Express, Outlook 98 and/or Netscape Mail (which all suffer from the "Long Filename" flaw) because it avoids having to update each desktop client. However, it does not protect against the Eudora 4.0X (Windows) flaw, first reported in early August 1998 and resolved at the end of September with the release of Eudora 4.1.

Desktop Users: If you use Eudora 4.0X for Windows, update to Eudora 4.1. If you use Netscape or Microsoft mail programs, check your program version, refer to the "Long Filename" flaw below, and update/patch as necessary.

See Markoff Explains for information about the programming that led to some of these security problems.

 

September 30, 1998

Eudora 4.1 is available. Security issues surrounding the HTML viewer are lessened by supporting QuickTime 3.0, and having the default for HTML viewing set to off.

 

August 20, 1998

Eudora 4.0X (Windows) Alert Update

Qualcomm has posted instructions for turning off Microsoft Viewer in Eudora, which will plug a security hole until the company releases Eudora 4.1, which they "believe" will fix the problem. So while you're waiting for a permanent fix, your choices are the following:

Turn off the Viewer yourself or

Upgrade to version 4.0.2, whose default setting enabling *Viewer is OFF or

Download Eudora 4.1 (beta)

Site-licensed copies of these versions of Eudora may be obtained from your university or company's server. If you purchased your copy, go to Qualcomm's Eudora site to download upgrades.

NOTE that whether you upgrade to 4.1 (which will enable you to use an HTML Viewer safely and see complex formats such as tables and charts), or choose to simply turn off Microsoft's insecure Viewer, you should have updated virus protection in place to check all incoming files, including email attachments.

*In Versions 4.0-4.01, the "Use Microsoft Viewer" option is ON by default, enabling the security hole. In version 4.0.2, that option has been replaced by "Allow executables in HTML content", whose default setting is OFF. We assume this prevents the use of MS Viewer, and that we will have to wait for Eudora 4.1 before we can safely use a secure viewer that requires executables in HTML content.

 

August 11, 1998

"Long-Filename" Worm Alert Update 2

About the forthcoming Sendmail patch for servers: directions to patch will be posted at http://www.sendmail.org/security.html

 

August 7, 1998

Eudora 4.0x (Windows) Alert

Another serious email security problem, this one affecting Eudora 4.0, 4.01 for Windows, has been reported. Qualcomm says it will post a patch this afternoon.

Meanwhile, protect yourself by turning off Microsoft Viewer. To do this, open Eudora. Go to Tools menu>Options>Viewing Mail. Uncheck "Use Microsoft's Viewer". This ensures that all attachments will reveal themselves as icons that must be clicked to be opened.

NOTE (again!) that whether you patch or simply turn off the Viewer, you should have updated virus protection in place to check all incoming files, including email attachments.

 

July 30, 1998

"Long Filename" Worm Alert Update 1

The New York Times reports today that Microsoft doesn't expect to have a fix ready until the end of the week. Netscape will offer a solution in the next release of Netscape Mail, scheduled for August 7th.

Programs/systems vulnerable to the "Long Filename" worm are:

Outlook Express and Outlook 98 for Windows 95, 98, NT 4.0, Macintosh, and DEC Alpha. Windows 3.1 and NT 3.51 versions are not vulnerable.

Netscape Mail versions 4.05, 4.5b1 on Windows 95, 98 and Windows NT. Versions for Macintosh and Unix systems are not vulnerable.

Go to Microsoft's and Netscape's security pages to review the latest information and download patches and upgrades.

 

July 29, 1998

"Long Filename" Worm Alert

A serious security flaw has been uncovered in Microsoft and Netscape email products. Attachments sent via Outlook Express, Outlook 98, or Netscape Mail can harbor malicious code that can do anything a hacker tells it to do, from stealing data to erasing hard disks. Today's New York Times reported that Qualcomm's Eudora, another popular email program, is not vulnerable.

The coding flaw, which has been known about for over three decades, takes advantage of a buffer that stores units of incoming data. If a data unit is too long it can overflow the buffer, causing the program to crash. Another piece of code can then trick the computer into running itself instead. Reports in the San Jose Mercury News and New York Times note that coding flaws in Microsoft's Outlook 98 are particularly pernicious because the worm can infiltrate without user-initiated action, such as opening email.
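The overflow described above, shown from the fixing side in an added example that is not from the original page or from any vendor's code: a C routine that copies an attachment filename into a fixed buffer and rejects any name that does not fit. It assumes the over-long data unit is the attachment's filename, as the alert's name suggests; NAME_BUF, store_name and attachment_name are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256  /* assumed buffer size, chosen for this example */

/* Copy len bytes of src into dst only if they fit with the terminator.
   An unchecked strcpy() here is the flawed pattern: it would keep
   writing past the end of dst when the sender's name is too long.
   Returns 0 on success, -1 (dst untouched) if the name is rejected. */
int store_name(char *dst, size_t dstsize, const char *src, size_t len)
{
    if (dstsize == 0 || len >= dstsize)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Pull the quoted filename out of one attachment header line.
   Returns 0 on success, -1 if it is missing, unterminated or too long;
   on failure out holds an empty string. */
int attachment_name(const char *header, char *out, size_t outsize)
{
    static const char key[] = "filename=\"";
    const char *start = strstr(header, key);
    const char *end;

    if (outsize > 0)
        out[0] = '\0';
    if (start == NULL)
        return -1;
    start += sizeof key - 1;
    end = strchr(start, '"');
    if (end == NULL)
        return -1;
    return store_name(out, outsize, start, (size_t)(end - start));
}

int main(void)
{
    /* Constructed sample header, not taken from a real message. */
    const char *ok = "Content-Disposition: attachment; filename=\"report.doc\"";
    char name[NAME_BUF];

    printf("%d %s\n", attachment_name(ok, name, sizeof name), name);
    /* Read into a 4-byte buffer, the same name is refused, not truncated. */
    printf("%d\n", attachment_name(ok, name, 4));
    return 0;
}
```

Rejecting the over-long name outright, rather than truncating it, keeps a later check from seeing a different filename than the one the sender supplied.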

The flaw was discovered early last month by a security research group working at the University of Oulu in Finland. Though there are no known cases of hackers exploiting the flaw, Larry Cooper, who runs the respected NTBugTraq site, forced both Netscape and Microsoft to publicly address the problem by threatening to publicize it if they didn't. Cooper claims that warnings sent from the Oulu group to both companies in June were ignored. (SF Examiner, 7/29/98)

Microsoft and Netscape are posting patches on their web sites. (Microsoft has already replaced a patch it posted Monday, 7/27, because it did not work.) Symantec, a major virus software company, is quoted as saying they would not be able to offer detection or repair soon. It appears they see this as a problem best solved by Microsoft and Netscape code patches.


Created 7/30/98. Last updated Tuesday, January 15, 2008

Email comments and questions to webmaster@123compute.net.
